Quishing: QR Code Phishing

Phishing has been one of the biggest attack vectors on businesses and individuals for a long time. The complexity of these attacks has evolved along with new technologies and one of the newest and most dangerous varieties is QR code phishing (quishing). Quishing utilizes QR codes to send a victim to a malicious website or attempt to get them to download malware. One of the many dangers that goes along with quishing is the amount of creativity that can be used with the placement of the QR code they can be used digitally or printed out and put somewhere physically like a poster. This paper will investigate how quishing attacks operate, the reason that they are so effective and mitigations people can use to protect themselves and their businesses.

The Rise of QR Code Attacks

QR codes were created to have a convenient way to advertise websites and applications (Nadeau, n.d.). When these QR codes are paired with normal phishing tactics they become an efficient way for cybercriminals to carry out attacks. Since QR codes are just images with embedded URLs they bypass a lot of standard security measures that are meant to detect malicious attachments through email (Cloudflare, n.d.). This makes quishing much more effective for attackers to use over email services since they are less likely to get flagged. Quishing is a relatively new form of phishing QR codes started to gain more traction during the COVID-19 pandemic while people were trying to avoid touching public resources (Nadeau, n.d.). It became common to see QR codes used on the bottom of receipts to pay for a meal or review a store's service. Another common use for QR codes was to view menus at a restaurant so waiters didn't have to clean menus repeatedly during the pandemic. But now with the pandemic being over it is more common to see QR codes for advertising. With the growth in the use of QR codes quishing attacks have become more effective. As people become more comfortable using QR codes for everyday tasks they begin to not question their possibly malicious uses.

Why Quishing is So Effective

One huge perk of using quishing as an attack vector as a cybercriminal is their technical capabilities. QR codes can be used to access links, documents, or even payment portals (Malwarebytes, n.d.). This creates a large variety of attacks that is possible after a victim has scanned the code. Another reason quishing is so powerful is that you cannot typically view where a QR code will redirect you before you use the code if it has been stored as an image (Malwarebytes, n.d.). After a victim has scanned a quishing code they are typically either sent to a malicious site to get some kind of personal information from them or malware is downloaded onto the victims device (Malwarebytes, n.d.). Like other phishing tactics, quishing is a tool used to lure people to another attack and quishing is just the first step in the cybercriminals plan of exploitation.

Prevention and Mitigation

Due to the recent growth in QR code usage quishing remains a powerful attack vector for cybercriminals. As cybersecurity professionals there are a few ways we can help our business and other individuals from falling victim to this new robust phishing tactic. One way to prevent quishing attacks is taking the long way to the resource you are trying to reach (Malwarebytes, n.d.). Although this is inconvenient this is a good tactic to use to avoid not just quishing but also many other phishing attacks. For example, if you see a QR code for a parking ticket you got to pay for online you should try to find the website on your own first instead of blindly following where the QR code will take you. Another way we can avoid quishing attacks is to check the associated URL of the QR code (Nadeau, n.d.). This isn't always an option however a lot of the time you can try and verify the integrity of the resource by checking the URL you are being redirected to. The last mitigation I will discuss comes from Cloudflare they offer an email security service that will actually be able to identify the use of a QR code in an email and then they will inspect that QR code to see if it is a possible quishing risk (Cloudflare, n.d.). This service provides a great solution to the issue of QR codes being able to bypass typical email security protocols since they are interpreted as images. By utilizing these different mitigation techniques, quishing can be prevented for businesses as well as individuals.

Conclusion

QR codes are a very useful and convenient new piece of technology, however like many other new technologies there are new vulnerabilities associated with them. Phishing has been an effective attack method for cybercriminals however they are now utilizing QR codes to deliver attacks in a new way. Hopefully more technical solutions to quishing are created although solutions we discussed including the Cloudflare email security tool are great progress. With the efficiency of this new phishing tactic, it is important cybersecurity professionals are spreading awareness of this severity of this new attack vector. Quishing shows us how cybercriminals are constantly searching for ways to exploit new technologies to try and evade typical cybersecurity solutions.